Introduction
When performing penetration testing, fuzzing is a critical technique used to discover hidden files, parameters, vulnerabilities, and even user authentication bypasses. One of the most powerful open-source tools for web fuzzing is Wfuzz. This tool is highly flexible, allowing security professionals to automate brute force attacks on web applications and uncover hidden endpoints.
In this blog post, we will explore Wfuzz, its capabilities, and some practical examples of how it can be used to discover vulnerabilities in web applications.
Installing Wfuzz
Wfuzz comes pre-installed on Kali Linux, but if you need to install it manually, you can do so using Python’s package manager:
pip install wfuzz
Once installed, you can verify it by running:
wfuzz --help
Basic Usage
1. Directory and File Discovery
A common use case for Wfuzz is to discover hidden directories and files on a web server. Attackers often exploit improperly secured endpoints that contain sensitive information.
Example:
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt --hc 404 http://example.com/FUZZ
Explanation:
-c: Enables colored output.-z file,<wordlist>: Specifies the wordlist to use for fuzzing.--hc 404: Hides responses with the 404 Not Found status.FUZZ: The keyword that Wfuzz replaces with words from the wordlist.
Example Output:
00002: C=200 12 L 329 W 1234 Ch "admin"
00007: C=200 14 L 312 W 1101 Ch "backup"
00015: C=200 18 L 402 W 1502 Ch "config.php"
This means directories or files such as /admin, /backup, and /config.php exist on the target web server.
2. Parameter Discovery
Web applications often use hidden GET/POST parameters that can reveal sensitive information. Wfuzz can help discover them.
Example:
wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 404 "http://example.com/search.php?FUZZ=test"
This will be replacing FUZZ with different possible parameter names, helping identify valid query parameters.
3. Fuzzing for SQL Injection
Wfuzz can also help test for SQL Injection vulnerabilities by inserting payloads into parameters.
Example:
wfuzz -c -z file,/usr/share/seclists/Fuzzing/SQLi.txt --hh 0 "http://example.com/index.php?id=FUZZ"
Explanation:
-z file,<SQL wordlist>: Uses a wordlist containing common SQL injection payloads.--hh 0: Hides responses with zero-length content.
If certain payloads return different responses, it may indicate an SQL injection vulnerability.
4. Testing for Open Redirects
Wfuzz can identify open redirect vulnerabilities, where an attacker could redirect users to a malicious site.
Example:
wfuzz -c -z file,redirect-payloads.txt --hc 404 "http://example.com/redirect.php?url=FUZZ"
If responses indicate successful redirects, the parameter may be vulnerable.
5. Brute-Forcing Login Forms
Another common use of Wfuzz is brute-forcing login credentials.
Example:
wfuzz -c -z file,usernames.txt -z file,passwords.txt --sc 200 "http://example.com/login.php?user=FUZZ1&pass=FUZZ2"
Here:
FUZZ1will be replaced by usernames fromusernames.txt.FUZZ2will be replaced by passwords frompasswords.txt.--sc 200: Displays results with HTTP 200 OK, indicating successful logins.
Conclusion
Wfuzz is an incredibly versatile tool for automated fuzzing in web application penetration testing. By using wordlists, filtering responses, and targeting different parameters, security professionals can efficiently identify vulnerabilities.
Key Takeaways:
- Directory fuzzing helps find hidden files and directories.
- Parameter fuzzing discovers GET/POST parameters.
- SQL Injection fuzzing detects potential database vulnerabilities.
- Open redirect testing helps spot security flaws.
- Brute-force attacks can test login authentication.
As with all penetration testing tools, ensure you have legal authorization before scanning any website.
Happy fuzzing!